Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Hi,

I would like to ask for pre-approval to upload owncloud 4.0.4debian2-3.1 to
testing-proposed-updates. It fixes bug #693990 (multiple security
issues). The debdiff is attached.

This bug has already been fixed in unstable with a similar patch in version
4.0.8debian-1.1.  For this upload I had to adapt 07_oc-sa-2012-002.patch and
backport a helper function (generate_random_bytes()) from the upstream version
that is in unstable.


Cheers,

Michael
diff -Nru owncloud-4.0.4debian2/debian/changelog 
owncloud-4.0.4debian2/debian/changelog
--- owncloud-4.0.4debian2/debian/changelog      2012-09-22 18:36:17.000000000 
+0200
+++ owncloud-4.0.4debian2/debian/changelog      2012-12-04 22:45:50.000000000 
+0100
@@ -1,3 +1,16 @@
+owncloud (4.0.4debian2-3.1) testing-proposed-updates; urgency=high
+
+  * Non-maintainer upload, fixes several security issues (Closes: #693990).
+  * debian/patches/06_oc-sa-2012-001.patch: Fix multiple XSS vulnerabilities.
+  * debian/patches/07_oc-sa-2012-002.patch: Fix timing attack.
+  * debian/patches/08_oc-sa-2012-004.patch: Fix code execution in migrate.php.
+  * debian/patches/09_oc-sa-2012-005.patch: Fix code execution in
+    filesystem.php.
+  * debian/pathes/07_oc-sa-2012-002.patch: Backport generate_random_bytes()
+    function from 4.0.8 release.
+
+ -- Michael Banck <mba...@debian.org>  Tue, 04 Dec 2012 22:22:39 +0100
+
 owncloud (4.0.4debian2-3) testing-proposed-updates; urgency=high
 
   * debian/patches:
diff -Nru owncloud-4.0.4debian2/debian/patches/06_oc-sa-2012-001.patch 
owncloud-4.0.4debian2/debian/patches/06_oc-sa-2012-001.patch
--- owncloud-4.0.4debian2/debian/patches/06_oc-sa-2012-001.patch        
1970-01-01 01:00:00.000000000 +0100
+++ owncloud-4.0.4debian2/debian/patches/06_oc-sa-2012-001.patch        
2012-12-04 22:47:34.000000000 +0100
@@ -0,0 +1,49 @@
+Index: owncloud-4.0.4debian2/3rdparty/fullcalendar/js/fullcalendar.js
+===================================================================
+--- owncloud-4.0.4debian2.orig/3rdparty/fullcalendar/js/fullcalendar.js        
2012-12-04 22:43:43.296931413 +0100
++++ owncloud-4.0.4debian2/3rdparty/fullcalendar/js/fullcalendar.js     
2012-12-04 22:47:26.874081078 +0100
+@@ -4662,7 +4662,7 @@
+                                       "</span>";
+                       }
+                       html +=
+-                              "<span class='fc-event-title'>" + event.title + 
"</span>" +
++                              "<span class='fc-event-title'>" + 
htmlEscape(event.title) + "</span>" +
+                               "</div>";
+                       if (seg.isEnd && isEventResizable(event)) {
+                               html +=
+@@ -5220,5 +5220,5 @@
+       };
+       
+ }
+-
++
+ })(jQuery);
+Index: owncloud-4.0.4debian2/apps/files/js/filelist.js
+===================================================================
+--- owncloud-4.0.4debian2.orig/apps/files/js/filelist.js       2012-12-04 
22:47:26.810080751 +0100
++++ owncloud-4.0.4debian2/apps/files/js/filelist.js    2012-12-04 
22:47:26.874081078 +0100
+@@ -14,9 +14,9 @@
+                       var extension=false;
+               }
+               html+='<td class="filename" 
style="background-image:url('+img+')"><input type="checkbox" />';
+-              html+='<a class="name" 
href="download.php?file='+$('#dir').val().replace(/</, '&lt;').replace(/>/, 
'&gt;')+'/'+name+'"><span class="nametext">'+basename
++              html+='<a class="name" 
href="download.php?file='+$('#dir').val().replace(/</, '&lt;').replace(/>/, 
'&gt;')+'/'+escapeHTML(name)+'"><span class="nametext">'+escapeHTML(basename);
+               if(extension){
+-                      html+='<span class="extension">'+extension+'</span>';
++                      html+='<span 
class="extension">'+escapeHTML(extension)+'</span>';
+               }
+               html+='</span></a></td>';
+               if(size!='Pending'){
+Index: owncloud-4.0.4debian2/apps/files_versions/js/versions.js
+===================================================================
+--- owncloud-4.0.4debian2.orig/apps/files_versions/js/versions.js      
2012-12-04 22:43:43.296931413 +0100
++++ owncloud-4.0.4debian2/apps/files_versions/js/versions.js   2012-12-04 
22:47:26.874081078 +0100
+@@ -36,7 +36,7 @@
+       
+       var historyUrl = OC.linkTo('files_versions', 'history.php') + 
'?path='+encodeURIComponent( $( '#dir' ).val() ).replace( /%2F/g, '/' 
)+'/'+encodeURIComponent( filename );
+       
+-      var html = '<div id="dropdown" class="drop" data-file="'+files+'">';
++      var html = '<div id="dropdown" class="drop" 
data-file="'+escapeHTML(files)+'">';
+       html += '<div id="private">';
+       html += '<select data-placeholder="Saved versions" id="found_versions" 
class="chzen-select" style="width:16em;">';
+       html += '<option value=""></option>';
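Review bot: In the filelist.js hunk, `escapeHTML(name)` is placed inside the `href="download.php?file=..."` query string, which is a URL context rather than HTML text, so `&`, `#`, `?` and `%` in a file name still reach the server unencoded while a name containing `<` is rewritten to `&lt;` and no longer resolves. The adjacent `$('#dir').val().replace(/</, '&lt;').replace(/>/, '&gt;')` on the same line has the same problem and additionally replaces only the first occurrence (non-global regexes) and leaves `"` untouched, which is the character that terminates the double-quoted attribute. The versions.js hunk further down already builds `historyUrl` with `encodeURIComponent`; the same shape fits here, e.g. `href="download.php?file='+encodeURIComponent($('#dir').val()+'/'+name)+'"`, which emits none of `"`, `<`, `>` or `&` and so needs no separate HTML escaping for that attribute (assuming download.php decodes the parameter normally), while `escapeHTML(basename)` stays for the visible text. The enclosing function in filelist.js starts and ends outside the hunk.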
diff -Nru owncloud-4.0.4debian2/debian/patches/07_oc-sa-2012-002.patch 
owncloud-4.0.4debian2/debian/patches/07_oc-sa-2012-002.patch
--- owncloud-4.0.4debian2/debian/patches/07_oc-sa-2012-002.patch        
1970-01-01 01:00:00.000000000 +0100
+++ owncloud-4.0.4debian2/debian/patches/07_oc-sa-2012-002.patch        
2012-12-04 22:47:37.000000000 +0100
@@ -0,0 +1,65 @@
+Index: owncloud-4.0.4debian2/core/lostpassword/resetpassword.php
+===================================================================
+--- owncloud-4.0.4debian2.orig/core/lostpassword/resetpassword.php     
2012-12-04 22:47:31.174103213 +0100
++++ owncloud-4.0.4debian2/core/lostpassword/resetpassword.php  2012-12-04 
22:47:36.618131274 +0100
+@@ -10,7 +10,7 @@
+ require_once('../../lib/base.php');
+ 
+ // Someone wants to reset their password:
+-if(isset($_GET['token']) && isset($_GET['user']) && 
OC_Preferences::getValue($_GET['user'], 'owncloud', 'lostpassword') === 
$_GET['token']) {
++if(isset($_GET['token']) && isset($_GET['user']) && 
OC_Preferences::getValue($_GET['user'], 'owncloud', 'lostpassword') === 
hash("sha256", $_GET['token'])) {
+       if (isset($_POST['password'])) {
+               if (OC_User::setPassword($_GET['user'], $_POST['password'])) {
+                       OC_Preferences::deleteKey($_GET['user'], 'owncloud', 
'lostpassword');
+Index: owncloud-4.0.4debian2/lib/util.php
+===================================================================
+--- owncloud-4.0.4debian2.orig/lib/util.php    2012-12-04 22:47:31.174103213 
+0100
++++ owncloud-4.0.4debian2/lib/util.php 2012-12-04 22:47:36.622131291 +0100
+@@ -459,8 +459,31 @@
+       
+       }
+       
+-      
++        /*
++        * @brief Generates random bytes with "openssl_random_pseudo_bytes" 
with a fallback for systems without openssl
++        * Inspired by gorgo on php.net
++        * @param Int with the length of the random
++        * @return String with the random bytes
++        */
++        public static function generate_random_bytes($length = 30) {
++                if(function_exists('openssl_random_pseudo_bytes')) {
++                        $pseudo_byte = 
bin2hex(openssl_random_pseudo_bytes($length, $strong));
++                        if($strong == TRUE) {
++                                return substr($pseudo_byte, 0, $length); // 
Truncate it to match the length
++                        }
++                }
+ 
++                // fallback to mt_rand()
++                $characters = '0123456789';
++                $characters .= 
'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
++                $charactersLength = strlen($characters)-1;
++                $pseudo_byte = "";
+ 
++                // Select some random characters
++                for ($i = 0; $i < $length; $i++) {
++                        $pseudo_byte .= $characters[mt_rand(0, 
$charactersLength)];
++                }
++                return $pseudo_byte;
++        }
+ }
+ 
+Index: owncloud-4.0.4debian2/core/lostpassword/index.php
+===================================================================
+--- owncloud-4.0.4debian2.orig/core/lostpassword/index.php     2012-12-04 
22:47:31.174103213 +0100
++++ owncloud-4.0.4debian2/core/lostpassword/index.php  2012-12-04 
22:47:36.622131291 +0100
+@@ -13,8 +13,8 @@
+ // Someone lost their password:
+ if (isset($_POST['user'])) {
+       if (OC_User::userExists($_POST['user'])) {
+-              $token = sha1($_POST['user'].md5(uniqid(rand(), true)));
+-              OC_Preferences::setValue($_POST['user'], 'owncloud', 
'lostpassword', $token);
++              $token = hash("sha256", 
OC_Util::generate_random_bytes(30).OC_Config::getValue('passwordsalt', ''));
++              OC_Preferences::setValue($_POST['user'], 'owncloud', 
'lostpassword', hash("sha256", $token)); // Hash the token again to prevent 
timing attacks
+               $email = OC_Preferences::getValue($_POST['user'], 'settings', 
'email', '');
+               if (!empty($email) and isset($_POST['sectoken']) and 
isset($_SESSION['sectoken']) and ($_POST['sectoken']==$_SESSION['sectoken']) ) {
+                       $link = OC_Helper::linkToAbsolute('core/lostpassword', 
'resetpassword.php').'?user='.urlencode($_POST['user']).'&token='.$token;
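Review bot: The `generate_random_bytes()` fallback in the lib/util.php part of this hunk draws the password-reset token from `mt_rand()`, a non-cryptographic generator whose state can be recovered from a handful of outputs, so on a host without the openssl extension (or where `$strong` comes back false) the reset link for any existing user becomes guessable — and this helper is being backported precisely to fix a weak-token advisory. Reading `/dev/urandom` before resorting to `mt_rand()` closes most of that gap on the platforms this package targets; `random_bytes()` does not exist in the PHP of this era, so the chain below keeps the signature and the hex/alphanumeric output shape. Separately, the docblock says "random bytes" but the function returns `$length` hex characters (4 bits each, i.e. 120 bits for the default 30), which the `@param`/`@return` lines should state so callers do not treat `$length` as a byte count.
```php
public static function generate_random_bytes($length = 30) {
        // … unchanged: openssl_random_pseudo_bytes() path, returned only when $strong …

        // Prefer the kernel CSPRNG over mt_rand(); PHP of this era has no random_bytes()
        if(is_readable('/dev/urandom')) {
                $raw = file_get_contents('/dev/urandom', false, null, 0, $length);
                if($raw !== false && strlen($raw) === $length) {
                        return substr(bin2hex($raw), 0, $length);
                }
        }

        // … unchanged: mt_rand() fallback …
}
```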
diff -Nru owncloud-4.0.4debian2/debian/patches/08_oc-sa-2012-004.patch 
owncloud-4.0.4debian2/debian/patches/08_oc-sa-2012-004.patch
--- owncloud-4.0.4debian2/debian/patches/08_oc-sa-2012-004.patch        
1970-01-01 01:00:00.000000000 +0100
+++ owncloud-4.0.4debian2/debian/patches/08_oc-sa-2012-004.patch        
2012-12-04 22:19:55.000000000 +0100
@@ -0,0 +1,91 @@
+Index: owncloud-4.0.4debian2/lib/migrate.php
+===================================================================
+--- owncloud-4.0.4debian2.orig/lib/migrate.php 2012-12-04 21:56:35.000000000 
+0100
++++ owncloud-4.0.4debian2/lib/migrate.php      2012-12-04 22:19:42.125448119 
+0100
+@@ -205,8 +205,8 @@
+               // Get export_info.json
+               $scan = scandir( $extractpath );
+               // Check for export_info.json
+-              if( !in_array( 'export_info.json', $scan ) ){
+-                      OC_Log::write( 'migration', 'Invalid import file, 
export_info.json note found', OC_Log::ERROR );
++              if( !in_array( 'export_info.json', $scan ) ) {
++                      OC_Log::write( 'migration', 'Invalid import file, 
export_info.json not found', OC_Log::ERROR );
+                       return json_encode( array( 'success' => false ) );
+               }
+               $json = json_decode( file_get_contents( $extractpath . 
'export_info.json' ) );
+@@ -241,12 +241,19 @@
+                                       return json_encode( array( 'success' => 
false ) );
+                               }
+                               // Copy data
+-                              if( !self::copy_r( $extractpath . 
$json->exporteduser, $datadir . '/' . self::$uid ) ){
+-                                      return json_encode( array( 'success' => 
false ) );
++                              $userfolder = $extractpath . 
$json->exporteduser;
++                              $newuserfolder = $datadir . '/' . self::$uid;
++                              foreach(scandir($userfolder) as $file){
++                                      if($file !== '.' && $file !== '..' && 
is_dir($file)){
++                                              // Then copy the folder over
++                                              
OC_Helper::copyr($userfolder.'/'.$file, $newuserfolder.'/'.$file);
++                                      }
+                               }
+                               // Import user app data
+-                              if( !$appsimported = self::importAppData( 
$extractpath . $json->exporteduser . '/migration.db', $json, self::$uid ) ){
+-                                      return json_encode( array( 'success' => 
false ) );
++                              if(file_exists($extractpath . 
$json->exporteduser . '/migration.db')){
++                                      if( !$appsimported = 
self::importAppData( $extractpath . $json->exporteduser . '/migration.db', 
$json, self::$uid ) ) {
++                                              return json_encode( array( 
'success' => false ) );
++                                      }
+                               }
+                               // All done!
+                               if( !self::unlink_r( $extractpath ) ){
+@@ -311,37 +318,6 @@
+       }
+ 
+       /**
+-      * @brief copies recursively
+-      * @param $path string path to source folder
+-      * @param $dest string path to destination
+-      * @return bool
+-      */
+-      private static function copy_r( $path, $dest ){
+-              if( is_dir($path) ){
+-                      @mkdir( $dest );
+-                      $objects = scandir( $path );
+-                      if( sizeof( $objects ) > 0 ){
+-                              foreach( $objects as $file ){
+-                                      if( $file == "." || $file == ".." || 
$file == ".htaccess")
+-                                      continue;
+-                                      // go on
+-                                      if( is_dir( $path . '/' . $file ) ){
+-                                              self::copy_r( $path  .'/' . 
$file, $dest . '/' . $file );
+-                                      } else {
+-                                              copy( $path . '/' . $file, 
$dest . '/' . $file );
+-                                      }
+-                              }
+-                      }
+-                      return true;
+-              }
+-              elseif( is_file( $path ) ){
+-                      return copy( $path, $dest );
+-              } else {
+-                      return false;
+-              }
+-      }
+-
+-      /**
+       * @brief tries to extract the import zip
+       * @param $path string path to the zip
+       * @return string path to extract location (with a trailing slash) or 
false on failure
+Index: owncloud-4.0.4debian2/lib/helper.php
+===================================================================
+--- owncloud-4.0.4debian2.orig/lib/helper.php  2012-06-26 21:54:07.000000000 
+0200
++++ owncloud-4.0.4debian2/lib/helper.php       2012-12-04 22:19:42.125448119 
+0100
+@@ -309,7 +309,8 @@
+                                       self::copyr("$src/$file", 
"$dest/$file");
+                               }
+                       }
+-              }elseif(file_exists($src)){
++
++              }elseif(file_exists($src) && 
!OC_Filesystem::isFileBlacklisted($src)) {
+                       copy($src, $dest);
+               }
+       }
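Review bot: In the new migrate.php loop, `is_dir($file)` tests the bare entry name against the process working directory rather than the extracted user folder, so whether a sub-directory is copied depends on what happens to exist in the cwd and in the usual case nothing is imported at all; it should read `if($file !== '.' && $file !== '..' && is_dir($userfolder.'/'.$file)){`. On the lines just above, `$json->exporteduser` comes from `export_info.json` inside the uploaded archive and is concatenated into `$userfolder` without validation, so a value such as `../..` would point the copy source outside `$extractpath`; applying `basename()` to it (or checking it against the directory actually extracted) before building the path would close that, though the surrounding import method starts and ends outside the hunk and may already contain a check I cannot see.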
diff -Nru owncloud-4.0.4debian2/debian/patches/09_oc-sa-2012-005.patch 
owncloud-4.0.4debian2/debian/patches/09_oc-sa-2012-005.patch
--- owncloud-4.0.4debian2/debian/patches/09_oc-sa-2012-005.patch        
1970-01-01 01:00:00.000000000 +0100
+++ owncloud-4.0.4debian2/debian/patches/09_oc-sa-2012-005.patch        
2012-12-04 22:19:51.000000000 +0100
@@ -0,0 +1,52 @@
+Index: owncloud-4.0.4debian2/lib/filesystem.php
+===================================================================
+--- owncloud-4.0.4debian2.orig/lib/filesystem.php      2012-12-04 
21:56:35.000000000 +0100
++++ owncloud-4.0.4debian2/lib/filesystem.php   2012-12-04 22:19:45.133463687 
+0100
+@@ -361,12 +361,16 @@
+        * @return bool
+        */
+       static public function isValidPath($path){
++              $path = str_replace('\\', '/', $path);
+               if(!$path || $path[0]!=='/'){
+                       $path='/'.$path;
+               }
+               if(strstr($path,'/../') || strrchr($path, '/') === '/..' ){
+                       return false;
+               }
++              if(self::isFileBlacklisted($path)){
++                      return false;
++              }
+               return true;
+       }
+       
+@@ -375,21 +379,23 @@
+        * Listens to write and rename hooks
+        * @param array $data from hook
+        */
+-      static public function isBlacklisted($data){
+-              $blacklist = array('.htaccess');
++      static public function isBlacklisted($data) {
+               if (isset($data['path'])) {
+                       $path = $data['path'];
+               } else if (isset($data['newpath'])) {
+                       $path = $data['newpath'];
+               }
+               if (isset($path)) {
+-                      $filename = strtolower(basename($path));
+-                      if (in_array($filename, $blacklist)) {
+-                              $data['run'] = false;
+-                      }
++                      $data['run'] = !self::isFileBlacklisted($path);
+               }
+       }
+-      
++
++      static public function isFileBlacklisted($path){
++              $blacklist = array('.htaccess');
++              $filename = strtolower(basename($path));
++              return in_array($filename, $blacklist);
++      }
++
+       /**
+        * following functions are equivilent to their php buildin equivilents 
for arguments/return values.
+        */
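Review bot: The rewritten `isBlacklisted()` hook now assigns `$data['run'] = !self::isFileBlacklisted($path)` unconditionally, so for every non-blacklisted path it writes `true` and silently overrides a veto (`run = false`) that an earlier listener on the same write/rename hook may already have set, whereas the old code only ever cleared the flag. Keeping the one-way semantics is a small change: `if (self::isFileBlacklisted($path)) {` / `$data['run'] = false;` / `}`. Note also that `$data` is taken by value in the signature shown, so whether the assignment reaches the caller depends on the hook dispatcher passing a reference — not visible here. The new `isFileBlacklisted()` should carry a docblock in the style of its neighbours, e.g. `@brief checks whether the file name (case-insensitively) is on the blacklist`, `@param $path string`, `@return bool`.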
diff -Nru owncloud-4.0.4debian2/debian/patches/series 
owncloud-4.0.4debian2/debian/patches/series
--- owncloud-4.0.4debian2/debian/patches/series 2012-09-22 16:03:47.000000000 
+0200
+++ owncloud-4.0.4debian2/debian/patches/series 2012-12-04 22:43:34.000000000 
+0100
@@ -15,4 +15,7 @@
 remove_unused_unsecure_files.diff
 BTS688394.diff
 backported_security_fixes.diff
-
+06_oc-sa-2012-001.patch
+07_oc-sa-2012-002.patch
+08_oc-sa-2012-004.patch
+09_oc-sa-2012-005.patch
